CVE-2026-48065
Heap Overflow in pam_usb Due to Integer Overflow
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mcdope | pam_usb | up to 0.9.1 (exclusive) |
| mcdope | pam_usb | from 0.9.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-48065 vulnerability in pam_usb allows a heap-based buffer overflow on 32-bit systems, potentially leading to high impacts on confidentiality, integrity, and availability of the system.
Because the vulnerability can compromise confidentiality and integrity, it may affect compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and system integrity.
However, exploitation requires write access to a root-owned configuration file, limiting the attack vector to scenarios where an attacker already has elevated privileges or has exploited other vulnerabilities.
Therefore, while the vulnerability poses a risk to compliance by potentially exposing or corrupting sensitive data, the limited exploitability reduces the likelihood of direct impact under normal secure configurations.
Can you explain this vulnerability to me?
The vulnerability CVE-2026-48065 in pam_usb is an integer overflow in a heap allocation size on 32-bit systems. The variable n_devices, which counts the device entries read from the XML configuration file, is multiplied by the size of a device structure without any upper bound check. On 32-bit targets that product can wrap around the 32-bit size_t, so the allocator xmalloc() is asked for a much smaller buffer than the entries actually need. Because xmalloc() only fails on a NULL return and otherwise accepts the small allocation, the subsequent writes of the device entries run past the end of the undersized buffer and overflow the heap.
This issue occurs only on 32-bit systems like armv7l and i686 and requires write access to the pam_usb configuration file, which is typically root-owned. The vulnerability is fixed by enforcing a maximum device limit (PUSB_MAX_DEVICES) before allocation to prevent the overflow.
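The wraparound described above, modelled in C as an added example (not pam_usb's own code): a 32-bit size_t is represented with uint32_t, the device structure size and the PUSB_MAX_DEVICES value are assumed, and the hardened function rejects counts the fix's limit would reject before the multiplication can wrap.

```c
#include <stdint.h>
#include <stdio.h>

/* Models a 32-bit target, where size_t is 32 bits wide. */
typedef uint32_t size32_t;

/* Stand-in for pam_usb's device structure; the real size is not on the
 * page, so 64 bytes is an assumed value. */
#define DEVICE_SIZE 64u

/* Assumed value for the PUSB_MAX_DEVICES limit the fix introduces. */
#define PUSB_MAX_DEVICES 256u

/* Vulnerable computation: the count parsed from the XML config is
 * multiplied with no upper bound, so the product wraps modulo 2^32. */
size32_t vuln_alloc_size(uint32_t n_devices)
{
    return (size32_t)(n_devices * DEVICE_SIZE);
}

/* Bytes the entries really need, computed in 64 bits so it cannot wrap. */
uint64_t bytes_needed(uint32_t n_devices)
{
    return (uint64_t)n_devices * DEVICE_SIZE;
}

/* True when the 32-bit allocation size is smaller than the space the
 * writes will consume, i.e. when the heap overflow condition exists. */
int size_wraps(uint32_t n_devices)
{
    return (uint64_t)vuln_alloc_size(n_devices) != bytes_needed(n_devices);
}

/* Hardened computation: enforce the device limit before allocating and
 * detect overflow explicitly. Returns 0 when the count is rejected. */
size32_t safe_alloc_size(uint32_t n_devices)
{
    if (n_devices == 0 || n_devices > PUSB_MAX_DEVICES)
        return 0;
    uint64_t wide = bytes_needed(n_devices);
    return wide > UINT32_MAX ? 0 : (size32_t)wide;
}

int main(void)
{
    /* 2^26 + 1 entries: 2^26 * 64 bytes == 2^32, so the product wraps to 64. */
    uint32_t n = 0x04000001u;
    printf("n=%u: vulnerable size %u bytes, needed %llu bytes, hardened=%u\n",
           n, vuln_alloc_size(n), (unsigned long long)bytes_needed(n),
           safe_alloc_size(n));
    return 0;
}
```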
How can this vulnerability impact me?
This vulnerability can lead to a heap-based buffer overflow, which may allow an attacker to corrupt memory, potentially causing crashes, arbitrary code execution, or privilege escalation.
However, exploitation requires write access to the pam_usb configuration file, which is usually restricted to root, limiting the attack surface. The vulnerability affects confidentiality, integrity, and availability, as indicated by its CVSS score of 6.7 with high impact on these aspects.
The exploitability is limited to 32-bit systems, and on 64-bit systems the memory requirements prevent overflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of pam_usb installed on your system and verifying if it is 0.9.0 or earlier, as these versions are affected.
Additionally, detection involves verifying if the system is running on a 32-bit architecture such as armv7l or i686, since the vulnerability affects only 32-bit targets.
You should also check the permissions and contents of the configuration file /etc/security/pam_usb.conf to see if it is writable by unauthorized users, as exploitation requires write access to this file.
Suggested commands include:
- Check pam_usb version: `pam_usb --version` or check package version via your package manager.
- Check system architecture: `uname -m` (look for armv7l or i686).
- Check permissions on the config file: `ls -l /etc/security/pam_usb.conf`.
- Inspect the number of device entries in the config file (to detect an unusually large n_devices): `grep -c '<device[[:space:]>]' /etc/security/pam_usb.conf` (this matches `<device>` and `<device id="...">` but not the enclosing `<devices>` element), or parse the XML config.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading pam_usb to version 0.9.1 or later, where the vulnerability is fixed by enforcing an upper bound on the number of devices allocated.
If upgrading is not immediately possible, ensure that the /etc/security/pam_usb.conf file is secured with strict permissions to prevent unauthorized write access, as exploitation requires the ability to modify this configuration file.
Additionally, limit the number of device entries in the configuration file to a reasonable number to avoid triggering the integer overflow.
Consider applying any available patches or backported fixes that add the PUSB_MAX_DEVICES limit to prevent the overflow.